Key findings and full report from the 6th year of the Active Cyber Defence (ACD) programme.
Analysis Summary
# Incident Report: Active Cyber Defence (ACD) Year 6 Performance Summary
## Executive Summary
This report summarizes the operational findings from the NCSC's sixth year of the Active Cyber Defence (ACD) programme, which covers calendar year 2022, and highlights the scale at which threats were mitigated automatically. The programme removed millions of malicious items, including over 7 million phishing campaigns and hundreds of thousands of fraudulent URLs. The outcome demonstrates that centralized, automated defences substantially shorten the time malicious sites and campaigns stay live across the UK digital ecosystem.
## Incident Details
- **Discovery Date:** Ongoing (Report published 6 July 2023)
- **Incident Date:** 2022 calendar year
- **Affected Organization:** Various (UK Public Sector, SMEs, and General Public)
- **Sector:** Cross-sector (Government, Finance, Healthcare, etc.)
- **Geography:** United Kingdom (targets); attack infrastructure hosted globally
## Timeline of Events
### Initial Access
- **Date/Time:** Continuous throughout 2022.
- **Vector:** Phishing, brand impersonation, and exploitation of unpatched vulnerabilities.
- **Details:** Attackers used SMS lures (FluBot-style malware delivery), email phishing, and fake investment websites to get UK citizens to enter credentials or install malware.
### Lateral Movement
- **Details:** Lateral movement inside victim networks is outside the scope of the ACD report, which covers external, internet-facing defences. The related observation it does make is that attackers hosted malicious content on compromised supply-chain links and on legitimate hosting providers, which complicates takedown because the infrastructure itself is not inherently malicious.
### Data Exfiltration/Impact
- **Details:** Large-scale credential harvesting (primarily impersonating government services such as HMRC) and financial theft through crypto-scams and "get rich quick" schemes.
### Detection & Response
- **Discovery:** ACD services (Mail Check, Web Check, Early Warning, Protective DNS) and public reporting through the Suspicious Email Reporting Service (report@phishing.gov.uk) and the 7726 text-message reporting shortcode.
- **Response Actions:** The Takedown Service notified hosting providers to remove malicious sites; Mail Check helped organisations publish DMARC policies so that receiving mail servers reject messages that fail authentication.
## Attack Methodology
- **Initial Access:** Phishing (Email/SMS) and exploiting public-facing vulnerabilities.
- **Persistence:** Use of legitimate hosting infrastructure to maintain malicious domains.
- **Defense Evasion:** Use of "fast-flux" DNS or frequent URL rotation to bypass static blocklists.
- **Credential Access:** Credential harvesting via look-alike domains (e.g., gov[.]uk clones).
- **Discovery:** Attackers scan for exposed, out-of-date software versions; Web Check finds the same weaknesses from the defender's side so they can be fixed first.
- **Lateral Movement:** Outside the report's scope; Early Warning alerts organisations when malicious or compromised activity is observed on their IP ranges and domains.
- **Collection:** Gathering of PII and financial data through fake web forms.
- **Exfiltration:** Data sent to attacker-controlled C2 servers.
- **Impact:** Financial loss for individuals and service disruption for organizations.
## Impact Assessment
- **Financial:** Extensive, though partially mitigated by the removal of 50k+ investment scams.
- **Data Breach:** High volume of PII and login credentials targeted.
- **Operational:** High burden on IT teams to remediate vulnerabilities flagged by NCSC.
- **Reputational:** Impersonation of 1,900+ different brands (including NCSC itself).
## Indicators of Compromise
- **Network Indicators:** 235,000+ unique malicious URLs identified. The report publishes aggregate counts rather than an indicator list; the defanged form shown here (hxxp[://]example-malicious[.]com) is only a placeholder illustrating the notation, not a real indicator.
- **File Indicators:** Malicious Android apps (FluBot variants) delivered through SMS lures.
- **Behavioral Indicators:** Surge in "Get Rich Quick" scams and impersonation of UK government entities.
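The look-alike domains noted under Credential Access and the defanged notation used above are the two things an analyst handles first when a public report arrives. The following script is an added example, not NCSC tooling: it refangs a reported indicator, extracts the host, and flags hosts that embed a protected name (gov.uk, hmrc.gov.uk, ncsc.gov.uk, chosen here as an illustrative list) without actually being under it. The indicators in the usage block are constructed.

```python
"""Triage a reported phishing indicator: refang it and decide whether its host
impersonates a protected domain such as gov.uk.

Added example; not NCSC tooling. PROTECTED and the indicators in the usage
block are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed: names whose brand we want to protect. A real deployment would
# load the organisation's own domain inventory here.
PROTECTED = ("gov.uk", "hmrc.gov.uk", "ncsc.gov.uk")

# Common digit-for-letter substitutions seen in look-alike domains (g0v.uk).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def refang(indicator: str) -> str:
    """Reverse the usual defanging conventions: hxxp -> http, [.] -> ., [://] -> ://."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)", lambda m: "http" + m.group(1).lower(), s, flags=re.IGNORECASE)
    s = s.replace("[://]", "://").replace("[:]//", "://")
    for dot in ("[.]", "(.)", "{.}", " dot "):
        s = s.replace(dot, ".")
    return s


def host_of(url: str) -> str:
    """Lower-case hostname of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def _compact(name: str) -> str:
    """Canonical form for comparison: undo confusables, drop dots and hyphens."""
    return name.lower().translate(CONFUSABLES).replace(".", "").replace("-", "")


def classify_host(host: str, protected=PROTECTED) -> dict:
    """'legitimate' if host is a protected name or a subdomain of one,
    'lookalike' if a protected name is embedded elsewhere in the host
    (hmrc-gov-uk.example.com, gov.uk.refund.com, g0v-uk.com), else 'unrelated'.
    Longest protected name is tried first so hmrc.gov.uk wins over gov.uk."""
    host = host.lower()
    ordered = sorted(protected, key=len, reverse=True)
    for p in ordered:
        if host == p or host.endswith("." + p):
            return {"host": host, "verdict": "legitimate", "matches": p}
    for p in ordered:
        if _compact(p) in _compact(host):
            return {"host": host, "verdict": "lookalike", "matches": p}
    return {"host": host, "verdict": "unrelated", "matches": None}


def triage(indicator: str) -> dict:
    """Refang a reported indicator and classify its host."""
    return classify_host(host_of(refang(indicator)))


if __name__ == "__main__":
    # Constructed sample reports, in the defanged form analysts usually share.
    for ioc in ("hxxps://hmrc-gov-uk[.]example[.]com/refund",
                "hxxp[://]g0v-uk-refund[.]com",
                "https://www.tax.service.gov.uk/",
                "hxxp[://]example-malicious[.]com"):
        print(ioc, "->", triage(ioc))
```

The substring match is deliberately generous: the goal at triage is to pull anything that carries a protected brand into a human queue, not to prove it is malicious. Exact-match and subdomain checks run first so that genuine gov.uk hosts are never flagged.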
## Response Actions
- **Containment:** Protective DNS (PDNS) blocked 90 million harmful "cyber events" (lookups of malicious domains) for public-sector users.
- **Eradication:** Takedown of 7.1 million malicious items hosted in the UK ("locally hosted").
- **Recovery:** Proactive notifications to over 1,000 organizations about likely compromises or exposures on their infrastructure.
## Lessons Learned
- **Automation is Mandatory:** The volume of attacks (millions per year) makes manual takedowns impossible; automated response is the only way to scale.
- **Public Resilience:** Community reporting (Suspicious Email Reporting Service) is a critical sensor for the national defense strategy.
- **Scam Evolution:** Attackers are shifting from simple malware to complex financial fraud/scams as technical defenses improve.
## Recommendations
- **Implement DMARC:** Use Mail Check to ensure email domains cannot be easily spoofed.
- **Vulnerability Management:** Utilize Web Check to identify and patch "low hanging fruit" vulnerabilities in web-facing infrastructure.
- **Sign up for Early Warning:** Organizations should register for NCSC's Early Warning service to receive tailored alerts about malicious activity and compromises observed on their IP ranges and domains.
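The DMARC recommendation above, and the Mail Check response action in the Detection & Response section, come down to a handful of DNS TXT records. The script below is an added example, not the NCSC Mail Check implementation: it evaluates a domain's DMARC and SPF records and lists the weaknesses a practitioner would fix before claiming the domain cannot be spoofed. `SAMPLE_TXT` is a constructed in-memory stand-in for DNS (domains `weak.example`, `strong.example`, `nodmarc.example` are made up) so the script runs offline.

```python
"""Assess a domain's DMARC and SPF posture from its DNS TXT records.

Added example; not the NCSC Mail Check implementation. SAMPLE_TXT is a
constructed, in-memory stand-in for DNS so the script runs offline.
"""

# Constructed records keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:reports@strong.example"
    ],
    "strong.example": ["v=spf1 include:_spf.mailer.example -all"],
    "nodmarc.example": ["v=spf1 +all"],
}


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, txt_lookup=SAMPLE_TXT.get) -> dict:
    """Return {'domain', 'enforcing', 'findings'}; enforcing means DMARC p=reject at pct=100."""
    findings = []
    enforcing = False

    dmarc = [r for r in (txt_lookup(f"_dmarc.{domain}") or []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record: receivers have no policy to apply to spoofed mail")
    elif len(dmarc) > 1:
        findings.append("multiple DMARC records: receivers discard all of them (RFC 7489 s6.6.3)")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        pct = tags.get("pct", "100")
        if policy == "none":
            findings.append("p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
        elif policy != "reject":
            findings.append(f"missing or invalid p= tag ({policy!r})")
        if not pct.isdigit() or int(pct) < 100:
            findings.append(f"pct={pct}: policy applied to only part of failing mail")
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports will not be received")
        sub_policy = tags.get("sp", policy).lower()
        if policy == "reject" and sub_policy != "reject":
            findings.append(f"sp={sub_policy}: subdomains are protected less than the organisational domain")
        enforcing = policy == "reject" and pct.isdigit() and int(pct) >= 100

    spf = [r for r in (txt_lookup(domain) or []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: SPF contributes nothing to DMARC alignment")
    elif len(spf) > 1:
        findings.append("multiple SPF records: evaluation returns permerror (RFC 7208 s4.5)")
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:
            findings.append("SPF ends in +all: every sender passes")
        elif "?all" in terms:
            findings.append("SPF ends in ?all: neutral result, no protection")
        elif "~all" in terms:
            findings.append("SPF ends in ~all (softfail): acceptable once DMARC p=reject is in place, since softfail is not a pass")
        elif "-all" not in terms:
            findings.append("SPF has no terminal all mechanism: unlisted senders evaluate as neutral")

    return {"domain": domain, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for d in ("strong.example", "weak.example", "nodmarc.example", "absent.example"):
        result = assess_domain(d)
        print(d, "enforcing" if result["enforcing"] else "NOT enforcing")
        for f in result["findings"]:
            print("  -", f)
```

To run this against live DNS, replace `SAMPLE_TXT.get` with a function that resolves TXT records, for example with dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's string fragments before returning the list. Note that `p=none` is the state most domains start in; it yields reports but stops nothing, so the check treats it as a finding rather than a pass.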